Saturday, September 7, 2013

"It's Alive!" The Resurrection of a Chromebook

It boots again, although its personality seems subtly different somehow. It's currently running the default Parrot firmware, which I believe is responsible for the difference. I'm still trying to figure out how to reconstruct the factory firmware, but I'm fairly confident that I'll get there eventually.

The problem, as I understand it, is that part of the firmware (the Intel Management Engine region of the SPI flash) is "cloaked" from the host CPU. The Intel Flash Descriptor at the start of the flash defines the regions (Descriptor, BIOS, ME, GbE) and which bus masters may read or write each one; on a locked-down system the ME region is marked unreadable by the host, so the chipset's SPI controller returns 0xFF for every byte in it rather than the real contents. (It is not the EC that does this; the Embedded Controller has its own separate flash.) A backup of the firmware taken with Flashrom from the running system is therefore invalid for that region: unless it knows to check the descriptor permissions, Flashrom simply writes the fake data (0xFF) into the backup image. If that backup is later written back to the EEPROM, it writes 0xFF over the entire Intel ME and, voila, you just turned your Chromebook into a brick!
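One way to catch this before it bricks anything is to parse the Intel Flash Descriptor in the dump, locate the ME region from it, and refuse to treat the image as a good backup if that region is entirely 0xFF. The script below is an added example written for this post, not the author's tooling and not part of Flashrom; it uses the documented descriptor layout (signature 0x0FF0A55A at offset 0x10, FLMAP0 at 0x14 giving the region base address FRBA, and one FLREG word per region with 4 KiB-granular base and limit fields). The 64 KiB image it builds is constructed for the demonstration and is not a real Parrot dump; the function names are my own.

```python
import struct

IFD_SIGNATURE = 0x0FF0A55A          # "flash valid signature" at offset 0x10
REGION_NAMES = ["Descriptor", "BIOS", "ME", "GbE"]   # FLREG0..FLREG3


def parse_ifd(image: bytes) -> dict:
    """Return {region name: (start, end)} for every region the descriptor defines.

    Unused regions encode base > limit (base field 0x1FFF, limit 0) and are skipped.
    """
    if len(image) < 0x60:
        raise ValueError("image too small to hold a flash descriptor")
    (sig,) = struct.unpack_from("<I", image, 0x10)
    if sig != IFD_SIGNATURE:
        raise ValueError("no Intel Flash Descriptor signature at offset 0x10")
    (flmap0,) = struct.unpack_from("<I", image, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4          # region base address, in 16-byte units
    regions = {}
    for idx, name in enumerate(REGION_NAMES):
        (flreg,) = struct.unpack_from("<I", image, frba + 4 * idx)
        base = (flreg & 0x1FFF) << 12
        limit = (((flreg >> 16) & 0x1FFF) << 12) | 0xFFF
        if base > limit:
            continue                              # region not present
        if limit >= len(image):
            raise ValueError(f"{name} region extends past end of image")
        regions[name] = (base, limit)
    return regions


def blank_regions(image: bytes) -> list:
    """Names of descriptor regions whose every byte reads 0xFF (i.e. were hidden)."""
    blank = []
    for name, (start, end) in parse_ifd(image).items():
        chunk = image[start:end + 1]
        if chunk.count(0xFF) == len(chunk):
            blank.append(name)
    return blank


def safe_to_flash_whole(image: bytes) -> bool:
    """A dump is only a usable full-chip backup if the ME region was really read."""
    return "ME" not in blank_regions(image)


def build_sample_image(me_hidden: bool = True) -> bytes:
    """Constructed 64 KiB image: Descriptor 0x0000-0x0FFF, ME 0x1000-0x7FFF,
    BIOS 0x8000-0xFFFF, GbE absent. Not a real firmware dump."""
    img = bytearray(0x10000)
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    frba = 0x40
    struct.pack_into("<I", img, 0x14, (frba >> 4) << 16)            # FLMAP0: FRBA field
    struct.pack_into("<I", img, frba + 0x0, 0x00000000)             # Descriptor: 0x0000-0x0FFF
    struct.pack_into("<I", img, frba + 0x4, (0xF << 16) | 0x8)      # BIOS:       0x8000-0xFFFF
    struct.pack_into("<I", img, frba + 0x8, (0x7 << 16) | 0x1)      # ME:         0x1000-0x7FFF
    struct.pack_into("<I", img, frba + 0xC, 0x00001FFF)             # GbE:        unused
    # ME region: either the 0xFF the locked-down host sees, or some fake real content.
    me_fill = b"\xFF" if me_hidden else b"\x5A"
    img[0x1000:0x8000] = me_fill * 0x7000
    # BIOS region: arbitrary non-blank content standing in for coreboot.
    img[0x8000:0x10000] = bytes(range(256)) * (0x8000 // 256)
    return bytes(img)


if __name__ == "__main__":
    for hidden in (True, False):
        img = build_sample_image(me_hidden=hidden)
        print("regions:", parse_ifd(img))
        print("blank regions:", blank_regions(img),
              "-> safe to write back whole chip:", safe_to_flash_whole(img))
```

Run against a real dump (`python3 checkdump.py < backup.bin`-style plumbing is left to the reader), an all-0xFF ME region means the backup is only good for restoring the BIOS region, not the whole chip. Current Flashrom releases can do the region arithmetic themselves with `--ifd` and `-i bios`, which is the safer way to write a coreboot image back without touching the ME.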

I have confirmed all of this information to my satisfaction by examining multiple firmware images. Given these facts, what I can't understand is why "the hack" doesn't produce a brick every time it's attempted!